New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security vulnerabilities due to old dependancies #182

Closed

Euphorbium opened this issue Jan 31, 2019 · 1 comment

Euphorbium commented Jan 31, 2019

flask version Before 0.12.3 contains a CWE-20: Improper Input Validation vulnerability in flask that can result in Large amount of memory usage possibly leading to denial of service. This attack appear to be exploitable via Attacker provides JSON data in incorrect encoding. This vulnerability appears to have been fixed in 0.12.3.

The Requests package before 2.19.1 sends an HTTP Authorization header to an http URI upon receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover credentials by sniffing the network.

The versions of these libraries should be updated, especially since flask 1.0 has been released for a while now.

This was referenced Sep 2, 2019

Full upgrade #192

Closed

Full upgrade of dependent libraries #193

Merged

Contributor

nk9 commented Sep 2, 2019

This can now be closed.

abhisuri97 closed this as completed

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment